Lucene search
Veracode Vulnerability DatabaseVERACODE:25941HistoryJul 23, 2020 - 2:01 a.m.
Authorization Bypass
2020-07-2302:01:37
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
10
parse-server
graphql
authorization bypass
security restrictions
user object
EPSS
0.001
Percentile
43.0%
parse-server is vulnerable to authorization bypass. The vulnerability exists in the GraphQL viewer where an authenticated user can bypass the read security restrictions, and all objects linked through relation, placed on his User object.
References
github.com/advisories/GHSA-236h-rqv8-8q73
github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
github.com/parse-community/parse-server/pull/5745
github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
Related
cvelist
cvelist
CVE-2020-15126 Information disclosure through Viewer query in parse-server
2020-07-22 23:05:19
cve
cve
CVE-2020-15126
2020-07-22 23:15:11
osv
osv
GraphQL: Security breach on Viewer query
2020-07-22 23:06:47
CVE-2020-15126
2020-07-22 23:15:11
nvd
nvd
CVE-2020-15126
2020-07-22 23:15:11
github
github
GraphQL: Security breach on Viewer query
2020-07-22 23:06:47
prion
prion
Design/Logic Flaw
2020-07-22 23:15:00